
ci: fix CodeQL Python analysis failure — upgrade to v4 and set explicit source-root#2535

Merged
BrendanWalsh merged 1 commit into master from fix/codeql-python-working-dir
Mar 31, 2026

Conversation

@BrendanWalsh
Collaborator

Problem

The Analyze (python) CodeQL job fails during the pre-finalize step:

Running pre-finalize script in /home/runner/work/SynapseML/SynapseML.
A fatal error occurred: Invalid working directory: /home/runner/work/SynapseML/SynapseML.

The runner's actual checkout path is /home/runner/work/microsoft-SynapseML/microsoft-SynapseML (reflecting the repo's internal directory name), but CodeQL v3's pre-finalize script derives the source root from the old path — causing a mismatch.

The JavaScript analysis is unaffected because the JS extractor doesn't use the same pre-finalize script.

Fix

  1. Upgrade github/codeql-action from v3 to v4 — v4 has improved path resolution and also addresses the Node.js 20 deprecation warning that appears on every run.

  2. Explicitly set source-root: ${{ github.workspace }} in the init step — ensures CodeQL uses the correct checkout path regardless of how the runner names the working directory.

Evidence

| Run | Branch | Event | Python Result |
| --- | --- | --- | --- |
| 23781044305 | openssf/pin-dependencies | PR | ❌ Invalid working directory |
| 23780923070 | openssf/improve-sast-coverage | PR | ❌ Invalid working directory |
| 23777885308 | fix/langchain-max-tokens-null | PR | ✅ (runner used old path) |

The failure occurs when the runner assigns the microsoft-SynapseML directory name, which is becoming more common.
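The two changes above shown together in a complete workflow, added here as an illustration; this is not the project's actual .github/workflows/codeql.yml, and the triggers, job layout, permissions and language matrix are assumptions:

```yaml
# Added illustration of the fix described in this PR; not the project's own
# workflow file. Triggers, job name, permissions and the language matrix are
# assumptions; the v3 -> v4 upgrade and the explicit source-root are the fix.
name: CodeQL

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language: [python, javascript]
    steps:
      - uses: actions/checkout@v4

      # v3 -> v4: the v3 pre-finalize script derived the source root from the
      # old /home/runner/work/SynapseML/SynapseML path and failed with
      # "Invalid working directory" once the runner checked out into
      # /home/runner/work/microsoft-SynapseML/microsoft-SynapseML.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
          # github.workspace is the directory the runner actually checked out
          # into, so the source root no longer depends on how it is named.
          source-root: ${{ github.workspace }}

      # Python and JavaScript need no compilation step; autobuild is a no-op
      # for them but keeps the job shape uniform across the matrix.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v4

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: /language:${{ matrix.language }}
```

The `source-root` setting only affects the `init` step; `autobuild` and `analyze` inherit the database location it produces, so nothing further needs to be set on them.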

… explicit source-root

The 'Analyze (python)' job fails during the pre-finalize step with:

  A fatal error occurred: Invalid working directory:
  /home/runner/work/SynapseML/SynapseML

The runner's actual checkout path is
/home/runner/work/microsoft-SynapseML/microsoft-SynapseML (reflecting
the repo's internal name), but CodeQL v3's pre-finalize script derives
the source root from the old directory name.

Changes:
- Upgrade github/codeql-action from v3 to v4 (also resolves the
  Node.js 20 deprecation warning on runners)
- Explicitly set source-root to ${{ github.workspace }} so CodeQL
  uses the correct checkout path regardless of directory naming
Copilot AI review requested due to automatic review settings March 31, 2026 06:03
@github-actions

Hey @BrendanWalsh 👋!
Thank you so much for contributing to our repository 🙌.
Someone from SynapseML Team will be reviewing this pull request soon.

We use semantic commit messages to streamline the release process.
Before your pull request can be merged, you should make sure your first commit and PR title start with a semantic prefix.
This helps us to create release messages and credit you for your hard work!

Examples of commit messages with semantic prefixes:

  • fix: Fix LightGBM crashes with empty partitions
  • feat: Make HTTP on Spark back-offs configurable
  • docs: Update Spark Serving usage
  • build: Add codecov support
  • perf: improve LightGBM memory usage
  • refactor: make python code generation rely on classes
  • style: Remove nulls from CNTKModel
  • test: Add test coverage for CNTKModel

To test your commit locally, please follow our guide on building from source.
Check out the developer guide for additional guidance on testing your change.

@github-actions

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 3 package(s) with unknown licenses.
See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA a229cfa.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

.github/workflows/codeql.yml

| Package | Version | License | Issue Type |
| --- | --- | --- | --- |
| github/codeql-action/analyze | 4.*.* | Null | Unknown License |
| github/codeql-action/autobuild | 4.*.* | Null | Unknown License |
| github/codeql-action/init | 4.*.* | Null | Unknown License |

OpenSSF Scorecard

| Package | Version | Score | Details |
| --- | --- | --- | --- |
| actions/github/codeql-action/analyze | 4.*.* | Unknown | Unknown |
| actions/github/codeql-action/autobuild | 4.*.* | Unknown | Unknown |
| actions/github/codeql-action/init | 4.*.* | Unknown | Unknown |

Scanned Files

  • .github/workflows/codeql.yml

@BrendanWalsh BrendanWalsh merged commit 70392c1 into master Mar 31, 2026
14 of 15 checks passed
@BrendanWalsh BrendanWalsh deleted the fix/codeql-python-working-dir branch March 31, 2026 06:36